I'm troubleshooting a problem with one of our vendors and plan to send them a Fiddler trace of the http traffic between the client and our servers while replicating the issue.

Our servers use NTLM authentication so the NTLM token is passed in the http authorization header. If the token captured in the Fiddler trace can be used by someone else to impersonate the authenticated user I need to scrub it from the trace. Is it necessary for me to scrub it?

1 Answer
1

Yes, you should remove the authorization header unless you are absolutely certain that NTLMv2 was being used.

NTLMv1 is very weak; somebody could easily brute force the password of your user and then impersonate him or her. With NTLMv2 that is not possible.

Either version of NTLM authenticates the TCP connection with a random challenge/response, so there is no real danger of an attacker possibly reusing the token for impersonation.

Unfortunately, it is not possible to determine which NTLM version was used by looking at the token alone. You really need to check the NTLM security settings for both the client and the server at the time the TCP connection was established. If you cannot do that, remove the authorization header.
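As an added example (not part of the question or the answer above), the following Python script does the scrubbing the answer recommends on a plain-text HTTP trace such as Fiddler's raw view: it finds every `Authorization`, `Proxy-Authorization`, `WWW-Authenticate` and `Proxy-Authenticate` header carrying an `NTLM` or `Negotiate` token, decodes the token just far enough to read the NTLMSSP message type (1, 2 or 3, i.e. which step of the challenge/response handshake it belongs to), and replaces the token with a placeholder that keeps only that type. The sample trace and the tokens in it are constructed dummies, not a real capture; the hostname is a placeholder.

```python
import base64
import re
import struct

# Every NTLMSSP message starts with this 8-byte signature, followed by a
# 4-byte little-endian message type: 1 = Negotiate, 2 = Challenge, 3 = Authenticate.
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"

# Request and response headers that can carry NTLM tokens (directly or via
# the Negotiate/SPNEGO wrapper scheme).
_AUTH_HEADER_RE = re.compile(
    r"^(?P<name>Authorization|Proxy-Authorization|WWW-Authenticate|Proxy-Authenticate):"
    r"[ \t]*(?P<scheme>NTLM|Negotiate)[ \t]+(?P<token>[A-Za-z0-9+/=]+)",
    re.IGNORECASE | re.MULTILINE,
)


def ntlm_message_type(token_b64: str):
    """Return the NTLMSSP message type (1, 2 or 3) carried by a base64 header
    token, or None if the blob is not a well-formed NTLMSSP message."""
    try:
        raw = base64.b64decode(token_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP_SIGNATURE):
        return None
    return struct.unpack_from("<I", raw, 8)[0]


def scrub_trace(trace: str):
    """Replace every NTLM/Negotiate token in the trace with a placeholder that
    records only the handshake step. Returns (scrubbed_text, findings), where
    findings is a list of (header name, message type) in order of appearance."""
    findings = []

    def _redact(match):
        msg_type = ntlm_message_type(match.group("token"))
        findings.append((match.group("name"), msg_type))
        label = f"[REDACTED NTLMSSP type {msg_type}]" if msg_type else "[REDACTED]"
        return f"{match.group('name')}: {match.group('scheme')} {label}"

    return _AUTH_HEADER_RE.sub(_redact, trace), findings


# --- Constructed sample data (dummy tokens: correct framing, zero-filled body) ---
def _build_ntlmssp(msg_type: int, payload: bytes) -> bytes:
    return NTLMSSP_SIGNATURE + struct.pack("<I", msg_type) + payload


TYPE1_TOKEN = base64.b64encode(_build_ntlmssp(1, b"\x00" * 24)).decode()
TYPE2_TOKEN = base64.b64encode(_build_ntlmssp(2, b"\x00" * 40)).decode()
TYPE3_TOKEN = base64.b64encode(_build_ntlmssp(3, b"\x00" * 52)).decode()

SAMPLE_TRACE = (
    "GET /app/ HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    f"Authorization: NTLM {TYPE1_TOKEN}\r\n"
    "\r\n"
    "HTTP/1.1 401 Unauthorized\r\n"
    f"WWW-Authenticate: NTLM {TYPE2_TOKEN}\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "GET /app/ HTTP/1.1\r\n"
    "Host: intranet.example.invalid\r\n"
    f"Authorization: NTLM {TYPE3_TOKEN}\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    scrubbed, found = scrub_trace(SAMPLE_TRACE)
    for name, msg_type in found:
        print(f"redacted {name}: NTLMSSP type {msg_type}")
    print(scrubbed)
```

Run it over the raw text of the session before it leaves your hands; the findings list doubles as a check that all three handshake messages were caught, and the placeholders leave the vendor enough to see where authentication happened without shipping the token itself.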